Created attachment 510376
Patch for fix

Description of problem:
When running ipa-replica-install, it will fail at the following step:

  Configuring the web interface: Estimated time 1 minute
    [1/11]: disabling mod_ssl in httpd
    [2/11]: setting mod_nss port to 443
    [3/11]: setting mod_nss password file
    [4/11]: adding URL rewriting rules
    [5/11]: configuring httpd
    [6/11]: setting up ssl
    [7/11]: publish CA cert
    [8/11]: creating a keytab for httpd
    [9/11]: configuring SELinux for httpd
    [10/11]: restarting httpd
  creation of replica failed: Command '/sbin/service httpd restart ' returned non-zero exit status 1

Looking in /var/log/httpd/error_log shows:

  [Tue Jun 28 14:50:35 2011] [error] Certificate not found: 'Server-Cert'

This seems to be because the password file (/etc/httpd/conf/password.conf) for the certificate db is empty.

Version-Release number of selected component (if applicable):
2.0

How reproducible:
Every time (for my install at least)

Steps to Reproduce:
1. ipa-replica-prepare ipareplica.example.com
2. scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
3. ipa-replica-install /var/lib/ipa/replica-info-ipareplica.example.com.gpg

Actual results:
Replica creation fails

Expected results:
Replica creation should succeed

Additional info:
It can be fixed by changing line 300 of ipaserver/install/certs.py from:

  if passwd is not None:

to:

  if passwd is not None and passwd is not "":

This will force create_passwd_file to generate a password if it's blank. The source of the problem could also be create_from_cacert(), since its definition makes the passwd default to '' instead of None like all others. The attached patch file should apply the fix.
https://fedorahosted.org/freeipa/ticket/1407
I have a feeling something else is going on; this is the first report like this.
I couldn't reproduce the reported problem but the replica HTTP database was being generated with a blank password. Having an empty password isn't necessarily all that horrible but we don't want to do it by default so I instead made it so we never call with passwd='' by default, instead use passwd=None.

master: d43ba5316a08249fa276cdc43338d85f784547f0
ipa-2-0: 5fab4570ad50ff400c2f95a72c9a6668545a2b8f
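
The default-argument problem discussed in this report, as an added example that is not part of the original thread and is not FreeIPA's code: a simplified model showing how a `passwd=''` default slips past an `is not None` check and leaves an empty password file, next to the `passwd=None` default, plus a small audit check. The function bodies, the `_before`/`_after` suffixes, `audit_passwd_file` and the file names are assumptions made for illustration.

```python
import os
import secrets
import stat
import tempfile


def create_passwd_file(path, passwd=None):
    """Simplified model of the check quoted in the report (body is assumed)."""
    if passwd is not None:      # '' is not None, so no password is generated
        secret = passwd
    else:
        secret = secrets.token_hex(20)
    # Create the file owner-only from the start rather than chmod-ing afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return secret


def create_from_cacert_before(path, passwd=""):
    # Default of '' as described in the report: the password file ends up empty.
    return create_passwd_file(path, passwd)


def create_from_cacert_after(path, passwd=None):
    # Default of None as described in the fix comment: a password is generated.
    return create_passwd_file(path, passwd)


def audit_passwd_file(path):
    """Return findings for a certificate-database password file."""
    findings = []
    st = os.stat(path)
    if st.st_size == 0:
        findings.append("empty password")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("readable by group/other")
    return findings


def demo():
    # Constructed file names in a temporary directory; nothing on the host is touched.
    with tempfile.TemporaryDirectory() as d:
        before = os.path.join(d, "before.conf")
        after = os.path.join(d, "after.conf")
        create_from_cacert_before(before)
        create_from_cacert_after(after)
        return audit_passwd_file(before), audit_passwd_file(after)
```
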